Hacked? The First Hours Playbook for Your Firm | McDade
What to do in the first hours if you think you have been hacked.
- By Dallas Downey, CLCS
Published July 2, 2026 - Business Insurance
The worst decisions in a cyber incident get made in the first hours, by smart people improvising. This is the playbook we walk clients through, seven steps in order, and the reason step two is a phone number most owners have never dialed.

The answer
Isolate the machine without destroying evidence, then call your cyber carrier's breach hotline before you improvise anything else. The policy exists to put professionals on the phone in the first hour. Speed helps, but sequence matters more, and the sequence fits on one page.
Isolate the device. Do not wipe it, do not power it off
Your instinct will be to make the problem disappear, to delete, reinstall, or shut everything down. Resist it. Disconnecting the machine from the network, unplugging the cable or turning off the wireless connection, stops the bleeding while preserving the evidence that forensics, your carrier, and possibly law enforcement will need.
Wiping a machine can destroy the only record of what was taken, which matters enormously when notification duties depend on knowing exactly that.
Disconnect from the network and leave the machine on. Write down the time. Touch nothing else on it.
Call your cyber carrier's breach hotline
This is the step most owners have never rehearsed, and it is the whole reason breach response coverage exists. The hotline answers around the clock and puts a coordinated team behind you, forensics, breach counsel, and response vendors the carrier has already vetted and priced.
Calling early also protects the claim itself. Many policies expect prompt notice and want their panel involved from the start, and costs incurred before the carrier is looped in can be harder to recover.
Put the hotline number somewhere you can find it without the computer. If you cannot name your hotline today, that is a finding worth fixing this week.
Get breach counsel engaged through the policy
A breach is a legal event before it is a technical one. Breach counsel directs the investigation so the findings are handled properly, reads your notification duties under the applicable rules, and for a law firm, squares the response with the ethics obligations that arrive whether or not you were insured.
Counsel through the policy also means the meter is running on the carrier's dime, not the firm's.
Ask the hotline to engage breach counsel immediately. Route decisions and communications through counsel from that point forward.
Reset credentials and check what the attacker touched
Change passwords and revoke active sessions for the affected accounts, starting with email and any document systems. Turn on multifactor authentication anywhere it is missing.
Check mailboxes for forwarding rules and filters you did not create. Attackers plant them to watch replies and hide their tracks, and they survive a password change if nobody looks.
Reset passwords, revoke sessions, enable multifactor authentication, and inspect mailbox rules on every touched account. The full recognition list is at six signs your team has been phished.
Report it at ic3.gov and preserve everything
The FBI's Internet Crime Complaint Center routes fast reports to the right teams, and in fraud cases fast reporting is the difference in whether anything is recovered. The FBI's advisory to law firms specifically asks victims to preserve the ransom note, the phone numbers and email accounts used, transcripts and voicemails, and the original message that started it.
Preservation is not busywork. The claim, the investigation, and any notification decisions will all ask for the same record.
File at ic3.gov the same day. Save every email, number, message, and screenshot in one place, with times.
Do not negotiate with the attacker on your own
If an extortion demand arrives, the pressure is the product. Deadlines, threats to call your clients, threats to publish. Responding on your own, or paying on your own, can waive coverage that requires the carrier's consent and can put you across the table from a professional negotiator with no professional beside you.
Extortion response is a coverage part on a well built cyber policy, and carriers bring negotiators who have handled the same group before.
Forward any demand to breach counsel and the carrier untouched. No replies, no payments, no solo decisions.
Write the timeline while it is fresh
Who noticed what, when, on which machine, and what was done about it. Memory degrades fast under stress, and every downstream process, the claim, the forensics, the notifications, and your own after action review, will ask for the same sequence of events.
The timeline is also how you find the procedural gap the attacker used, which is the most valuable output of a bad day.
Assign one person to keep the running timeline from hour one. Plain language, exact times, no blame.
Nobody improvises well at two in the morning. That is what the hotline is for.
Dallas Downey, CLCS, Commercial Lines and Workers Compensation Specialist
Sources worth opening before you decide.
This article uses public source material from the FBI's advisory to law firms and the FBI Internet Crime Complaint Center.
The purpose is to replace improvisation with sequence. The FBI describes what to preserve and where to report. What your policy funds in those first hours is answered by its breach response and extortion parts, which is exactly what the review reads before you ever need the number.
Keep reading, then read your policy.
Questions firm owners ask.
Should we pay the ransom?
Not on your own, and not quickly. Payment decisions run through breach counsel and your carrier, both because extortion coverage typically requires the carrier's consent and because professionals who have negotiated with the same groups know what the threats are actually worth. Paying does not guarantee deleted data, and the decision has legal dimensions that deserve counsel.
Who do we call first, our IT provider or our insurance carrier?
Call the carrier's breach hotline first, then your IT provider. The hotline brings forensics and breach counsel with it, which is exactly the help your IT provider will need beside them, and early notice protects the claim. The two calls should happen within minutes of each other either way.
What if we are not sure it is a real breach?
Call anyway. Hotlines exist for exactly this call, and carriers would far rather hear about a false alarm than a late claim. Late notice is one of the most common reasons an otherwise valid cyber claim struggles, and no policy penalizes you for asking early.
What does the cyber policy actually pay for in the first hours?
A well built policy funds the forensic investigation, breach counsel, the response vendors, extortion negotiation support, client notification if it comes to that, and the income lost if systems go down. Whether your policy's parts and sublimits match a modern data theft is a document question. About 40 percent of the time we tell clients to stay with their current carrier because that is the right answer.
What Houston clients say.
Find the hotline number before you need it.
Send us the cyber policy you carry today. We will show you exactly what its first hours look like, the hotline, the panel, the extortion terms, and the sublimits, in plain English, so the worst day of the year runs on sequence instead of improvisation.
Commercial reviews route to our commercial desk and follow your calendar, not ours. Local broker. National infrastructure.
By